There has been much ado in the tech press lately about the Secure Boot feature in Windows 8; with some calling it a wonderful boon to security and others convinced it’s evil incarnate, designed for the sole purpose of locking out the possibility of installing Linux on computers that come with Windows 8. Many computer hobbyists are up in arms about it, but what are the implications – both good and bad – for businesses? That’s what we’ll talk about in this article.
UEFI: This is not your father’s BIOS
Before you can understand Secure Boot and how it works, you have to understand UEFI, the Unified Extensible Firmware Interface. And before you can understand EUFI, you need to have an understanding of how the BIOS (Basic Input/Output System) worked in computers of the past, because the UEFI was created as a replacement for and improvement on the old BIOS.
We’re getting deeply into hardware territory here, but as an IT pro, you’ve likely had more than a passing acquaintance with the BIOS over the years, as the BIOS settings often have to be modified to enable features that you might want to use on your company’s servers and workstations. The BIOS is the first system software that runs when the computer starts up, and it runs the POST (Power On Self-Test) that checks all the system components to verify that they’re present and working correctly. The BIOS software is installed in a chip on the motherboard. It’s called “firmware” because it is rarely modified. In early computers, the BIOS was stored in Read Only Memory (ROM) and couldn’t be changed. On later systems, it’s stored in Erasable Programmable ROM (EPROM) or flash memory, and can be updated (“flashing the BIOS”) to add functionality.
The EUFI was originally created by Intel to address the limitations of the traditional BIOS (they first called it the Intel Boot Initiative) as part of their Itanium servers. It later became the Extensible Firmware Interface (EFI), which evolved into UEFI and the specification is a standard that’s handled by a non-profit organization with representatives of Intel, AMD, Microsoft, Apple, Dell, HP, IBM and others, called the Unified EFI Forum.
The UEFI performs the same functions as the BIOS but it differs from the BIOS in that it provides faster boot times and its use of a GUID Partition Table (GPT) for booting from disks more than 2 TB in size, as well as networking prior to loading of the operating system, and architecture and drivers that are not dependent on the processor. The UEFI supports 32 and 64 bit processors and can be used with Itanium, x86, x64 and ARM processors.
How UEFI enables Secure Boot
Unlike the traditional BIOS, the UEFI can implement a security policy; this is the UEFI secure boot protocol that uses PKI (Public Key Infrastructure) to authenticate images that load during the boot process. Why is this useful? Attackers keep devising new ways to circumvent traditional anti-virus/anti-malware software. Boot loader attacks use the boot process to load malicious code masquerading as a legitimate operating system, prior to the loading of the real OS.
Here’s how it works: It’s up to the hardware vendor to enable or disable the secure boot protocol in the UEFI of its systems. If secure boot protocol is enabled, the digital signing keys for the legitimate operating system(s) are installed in the firmware. The secure boot protocol checks, when software is loaded, to ensure that it has been signed by one of the keys that are installed.
Keys for multiple operating systems (or drivers or other executables) can be installed in a system’s firmware. However, there is not a centralized authority for the signing of UEFI keys. Once again, it’s up to the hardware vendor to install the keys in the system’s firmware. If users could easily add additional keys, then malware would be able to add keys, too, and that would defeat the whole purpose of secure boot.
If Secure Boot is enabled, each time a system’s power is turned on or reset, the firmware checks the hardware peripherals and checks the operating system loaders’ certificates for a match in the database of “allowed” components that the OEM stores in the firmware. There is also a “disallowed” database that contains hashes of known malware.
Why it’s controversial
Many computer hobbyists, especially those who are fans of Linux, are not happy with the way Microsoft is implementing Secure Boot in Windows 8. There are numerous blog posts proclaiming the danger that Secure Boot poses to free/open source software. There is a Facebook group called “Stop the Windows 8 secure boot implementation.”
Their complaints are that 1) Microsoft will require hardware vendors to enable Secure Boot on machines in order to obtain the Windows 8 compatibility logo and 2) Microsoft is leaving it up to the hardware vendors as to whether the user will be able to disable the feature, and whether/what other operating system certificates will be installed in the firmware.
The problem (for those who want to install a different OS) comes when a vendor doesn’t provide a way to disable Secure Boot in the Setup menu and doesn’t install certificates for any OS other than Windows. In that case, those who buy the computers won’t be able to install Linux, either in a dual boot configuration or by formatting and replacing Windows with it. This possible narrowing of choices has the Free Software Foundation soliciting signatures for a petition to urge computer makers to provide a way for users to disable Secure Boot and/or install an alternative OS with Secure Boot enabled.
Meanwhile, those who make Linux distributions are dealing with it in different ways. Tim Burke, Vice President of Linux Engineering at Red Hat, tried to reassure the company’s users in his blog post in early June, explaining that Red Hat and the Linux Foundation had worked with Microsoft to develop a mechanism for using Microsoft’s key signing services to register Red Hat/Fedora keys so those operating systems can be installed on Windows 8 computers. Canonical, which distributes Ubuntu, will use a boot loader signed with a Microsoft key, and then will boot Canonical’s own boot loader. So it appears that users should have no problems installing at least these two very popular distros of Linux on Windows 8 machines.
Even Linus Torvalds, the “father of Linux,” has weighed in with his opinion that Secure Boot won’t keep people from installing Linux, although he believes the technology will eventually be hacked.
Note that the above discussion applies to desktop and laptop computers running Windows 8 or Windows 8 Pro editions. Windows RT on ARM devices is a different story. Microsoft’s hardware certification specifications mandate that ARM-based mobile devices (such as their own Surface tablet that was introduced on June 18th, as well as Windows RT tablets made by other hardware vendors) will not allow for disabling Secure Boot.
How it affects the IT department
In many cases, corporate IT departments won’t be hindered by the Secure Boot feature because most companies will be using only Windows 8 on the systems they purchase with that OS installed. Few business users dual boot into multiple operating systems. Those workers who need to work with different operating systems usually have separate machines for them, or install the second OS in a virtual machine so they can access it without having to boot out of the first OS.
Since it would present serious security issues for users to be able to install a second operating system on their computers, Secure Boot is beneficial to IT; it helps you maintain more control and prevent rogue OS installations on your network. In addition, the function for which it is intended – preventing the installation of rootkit/bootkit type malware – will benefit IT departments by helping to protect your systems from this insidious and difficult-to-detect type of malicious software.
What about companies that might want to install older versions of Windows (such as Windows 7) on Windows 8-certified computers? Back last year, a post on the Building Windows 8 blog said that “For the enthusiast who wants to run older operating systems, the option (disabling secure boot) is there to allow you to make that decision.” Obviously another solution would be for hardware vendors to include certificates/keys for previous versions of Windows, popular versions of Linux, etc. This would be the preferred situation because then you don’t lose the malware protection of Secure Boot.
Generally, hardware vendors work with businesses – especially large businesses – to provide customized systems that fit the organization’s needs. The vendor’s Secure Boot implementation – and whether/how it can be customized with additional keys – will be one more question to ask when purchasing new systems. Thus it will be important in the planning process for you to determine how systems are to be deployed and whether you will have systems that need to dual boot or that you might at some time want to switch over to a different operating system.